python-authlib (1.3.0-1ubuntu0.1~esm1) noble-security; urgency=medium

  * SECURITY UPDATE: JWT algorithm confusion due to missing verification
    algorithm enforcement
    - debian/patches/CVE-2024-37568.patch: Block asymmetric key material in
      `OctKey.import_key()` via unsafe key prefix checks in
      authlib/jose/rfc7518/oct_key.py
    - CVE-2024-37568
  * SECURITY UPDATE: Improper JWS critical header validation due to violating
    RFC 7515 semantics
    - debian/patches/CVE-2025-59420.patch: Add strict `crit` header enforcement
      in authlib/jose/rfc7515/jws.py and introduce
      `InvalidCritHeaderParameterNameError` in authlib/jose/errors.py
    - CVE-2025-59420
  * SECURITY UPDATE: Denial of service due to unbounded JWS/JWT segment size
    handling
    - debian/patches/CVE-2025-61920.patch: Enforce JWS input length limits
      (`MAX_CONTENT_LENGTH`) in authlib/jose/rfc7515/jws.py and
      authlib/jose/util.py
    - CVE-2025-61920
  * SECURITY UPDATE: Denial of service due to unbounded DEFLATE decompression
    of JWE compressed payload
    - debian/patches/CVE-2025-62706.patch: Bound JWE `zip=DEF` decompression
      using `MAX_SIZE` in authlib/jose/rfc7518/jwe_zips.py
    - CVE-2025-62706
  * SECURITY UPDATE: OAuth login CSRF due to state token not being bound to
    user session
    - debian/patches/CVE-2025-68158-1.patch: Require session-bound state
      validation before cache retrieval in framework_integration.py
    - debian/patches/CVE-2025-68158-2.patch: Fix authorization and token
      endpoints request empty scope parameter management
    - CVE-2025-68158

 -- Shafayat Hossain Majumder <shafayat.majumder@canonical.com>  Fri, 20 Feb 2026 09:50:51 -0500

python-authlib (1.3.0-1) unstable; urgency=medium

  * New upstream release.

 -- Stefano Rivera <stefanor@debian.org>  Wed, 20 Dec 2023 17:09:53 -0400

python-authlib (1.2.1-1) unstable; urgency=medium

  * New upstream point-release.
  * Refresh patches.
  * Bump copyright years.
  * Bump Standards-Version to 4.6.2, no changes needed.
  * Add new doc build-depends.
  * Clean egg-info.
  * Allow authlib to be importable when building docs.
  * Run clients and jose test suites.
  * Support the nocheck build profiles.

 -- Stefano Rivera <stefanor@debian.org>  Thu, 29 Jun 2023 18:35:46 -0400

python-authlib (1.2.0-1) unstable; urgency=medium

  * New upstream release.
  * Correct copyright years.

 -- Stefano Rivera <stefanor@debian.org>  Fri, 09 Dec 2022 18:08:37 -0400

python-authlib (1.1.0-2) unstable; urgency=medium

  [ Debian Janitor ]
  * Apply multi-arch hints.
    + python-authlib-doc: Add Multi-Arch: foreign.

 -- Jelmer Vernooĳ <jelmer@debian.org>  Sat, 22 Oct 2022 11:44:37 +0100

python-authlib (1.1.0-1) unstable; urgency=medium

  * New upstream release.
  * Bump Standards-Version to 4.6.1, no changes needed.
  * Bump copyright years.

 -- Stefano Rivera <stefanor@debian.org>  Sun, 25 Sep 2022 10:55:06 +0200

python-authlib (1.0.1-1) unstable; urgency=high

  * New upstream release.
    - Resolving a security bug in JWT validation (no CVE).

 -- Stefano Rivera <stefanor@debian.org>  Fri, 08 Apr 2022 11:57:52 -0400

python-authlib (1.0.0-1) unstable; urgency=medium

  * New upstream release.
  * Refresh patches.
  * Build with pybuild-plugin-pyproject.
  * Support nodoc builds.
  * Depend and Build-Depends on python3-pycryptodome for XC20P support.

 -- Stefano Rivera <stefanor@debian.org>  Fri, 18 Mar 2022 09:39:02 -0400

python-authlib (0.15.5-1) unstable; urgency=medium

  * New upstream release.
  * Drop patch werkzeug-2.0.0, superseded upstream.

 -- Stefano Rivera <stefanor@debian.org>  Tue, 19 Oct 2021 20:45:42 -0700

python-authlib (0.15.4-2) unstable; urgency=medium

  * Patch: Support werkzeug >= 2.0.0.
  * Bump Standards-Version to 4.6.0, no changes needed.
  * Bump debhelper compat level to 13.

 -- Stefano Rivera <stefanor@debian.org>  Tue, 12 Oct 2021 00:54:43 -0700

python-authlib (0.15.4-1) unstable; urgency=medium

  * New upstream point release, fixing a security issue.

 -- Stefano Rivera <stefanor@debian.org>  Wed, 07 Jul 2021 19:32:08 -0400

python-authlib (0.15.3-1) unstable; urgency=medium

  [ Stefano Rivera ]
  * New upstream release.
  * Bump Standards-Version to 4.5.1, no changes needed.
  * Bump copyright years.

  [ Debian Janitor ]
  * Set upstream metadata fields: Repository.

 -- Stefano Rivera <stefanor@debian.org>  Wed, 20 Jan 2021 11:21:23 -0700

python-authlib (0.15.2-1) unstable; urgency=medium

  * New upstream release.
  * Add upstream metadata.

 -- Stefano Rivera <stefanor@debian.org>  Fri, 30 Oct 2020 11:56:19 -0700

python-authlib (0.15.1-1) unstable; urgency=medium

  * New upstream release.
  * Refresh patches.
  * Build-Depend on python3-itsdangerous for tests.
  * Drop Build-Depends for starlette test suite, not shipped in upstream
    source.
  * Run the 3 test suites separately, as upstream does. They fail otherwise.

 -- Stefano Rivera <stefanor@debian.org>  Wed, 14 Oct 2020 21:16:12 -0700

python-authlib (0.14.3-2) unstable; urgency=medium

  * Upload to unstable.
  * Update Maintainer email for DPMT & PAPT merger.
  * Update Vcs URLs for DPMT & PAPT merger.

 -- Stefano Rivera <stefanor@debian.org>  Wed, 23 Sep 2020 13:36:52 -0700

python-authlib (0.14.3-1) experimental; urgency=low

  * Initial Release (Closes: #968644)

 -- Stefano Rivera <stefanor@debian.org>  Wed, 19 Aug 2020 15:14:48 -0700
